NAT - IPSEC Tunnel Mode

Alex Kerschl

Hello NG,

Is it possible to publish (reverse NAT) a Windows 2003 Server which is the
endpoint of an IPSec connection in tunnel mode (if the VPN client and server
use the NAT-T feature)?

Client -->-----(Firewall with reverse NAT)---->----(RRAS Server 2003)


Why is it not possible to establish an IPSec tunnel mode connection to a
Windows 2003 Server with ISA or NAT on it?

Client --->----(RRAS+NAT on Windows 2003)


Thanks

Alex
 
Michael Johnston [MSFT]

It is possible to publish an IPSec server behind a NAT device with a new feature in Windows Server 2003 called NAT-T (NAT
traversal). For more information please reference 818043 L2TP/IPSec NAT-T Update for Windows XP and Windows 2000
http://support.microsoft.com/?id=818043.

It is also possible to establish an IPSec tunnel connection to an ISA server. Are you having any specific problems associated
with this?


Thank you,
Mike Johnston
Microsoft Network Support
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the
terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from
which they originated.
 
Alex Kerschl

Thanks for your answer. But I don't want to create an L2TP/IPSec connection.

An IPSec tunnel connection (configured with IPSec Policies in the security
policies in mmc) doesn't work with a machine as endpoint with NAT installed
on it. I tried Q816514.

You said it will work with ISA. How is your configuration? It does not work
like it is described in Q816514.

Alex

gio

Hi Alex

Did you see an IPSec tunnel work without NAT?
I'm trying to set up a router-to-router IPSec tunnel environment using local
security policy on the two routers.

I followed Q816514 step by step, mirroring the setup for NetB.
No domain, using very simple preshared keys.
Can't get it to work.
Also some steps are not clear to me, for example:

Build a Filter List from NetA to NetB
Build a Filter List from NetB to NetA
These two rules are to be configured on a single router, aren't they?
So why not use 'mirror rules' ???

this is my setup:

192.168.2.10(client)------------(192.168.2.1 -Router1- 192.168.100.1) ----
(192.168.100.2 -Router2- 192.168.3.1) -------------192.168.3.10

I configured the policy only on router1 and router2, no domain, no GPO...
only 2 local security policies.

Made a lot of tests with little changes but... nothing...

It doesn't trigger any 'security association'....

did you see this setup (NO NAT) ever working???

thanx
Gio
 
David Beder [MSFT]

As far as I know, NAT traversal is for transport mode ESP only.

--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
 
David Beder [MSFT]

Mirrored filters don't help for tunnel mode as each rule will need a
separate tunnel endpoint and therefore only one of the two filters in the
mirrored pair would ever want to get invoked and you could potentially cause
a conflict. The idea is something like this:
Data coming from client 1, destined for client 2 (src=2.10, dst=3.10) must
be tunneled to r2 (100.2).
The mirror of this would be src=c2, dst=c1 but the rule would still have you
tunneled to r2 which is not the correct tunnel endpoint for that direction
of the traffic. Instead you want:
Data coming from client 2, destined for client 1 (src=c2, dst=c1) must be
tunneled to r1 (100.1).

when traffic flows between the clients, you should see an SA attempted
between the routers.
--
David
Microsoft Windows Networking
This posting is provided "AS IS" with no warranties, and confers no rights.
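The two-rule layout David describes, written out as an added example for the addresses in Gio's diagram (NetA 192.168.2.0/24 behind r1 192.168.100.1, NetB 192.168.3.0/24 behind r2 192.168.100.2). This script is not code from the thread or from Microsoft; it uses the `netsh ipsec static` context of Windows Server 2003. The policy, filter list and rule names, the preshared key placeholder and the 3DES/SHA1 quick-mode method are assumptions. The same script is run on both routers: the tunnel endpoint of each rule is the tunnel destination for that direction of traffic, so on the receiving router the endpoint is its own address.

```batch
@echo off
rem Added example (not from the thread): router-to-router IPSec tunnel
rem mode policy with one non-mirrored filter list and one rule per
rem direction, each rule carrying its own tunnel endpoint.
rem Assumption: names, the PSK placeholder and ESP[3DES,SHA1] are chosen
rem here for illustration; replace the PSK before use.

set PSK=REPLACE-WITH-A-LONG-RANDOM-PRESHARED-KEY

rem One policy holds both rules; assign it only after both rules exist.
netsh ipsec static add policy name="NetA-NetB Tunnel" description="Site-to-site tunnel" assign=no

rem Filter action: negotiate ESP, no fallback to clear text (soft=no),
rem no unsecured inbound traffic (inpass=no).
netsh ipsec static add filteraction name="Require ESP" action=negotiate qmsecmethods="ESP[3DES,SHA1]" inpass=no soft=no

rem Filter list 1: NetA to NetB. Deliberately NOT mirrored, because the
rem reverse direction needs a different tunnel endpoint.
netsh ipsec static add filterlist name="NetA to NetB"
netsh ipsec static add filter filterlist="NetA to NetB" srcaddr=192.168.2.0 srcmask=255.255.255.0 dstaddr=192.168.3.0 dstmask=255.255.255.0 protocol=ANY mirrored=no

rem Filter list 2: NetB to NetA, also not mirrored.
netsh ipsec static add filterlist name="NetB to NetA"
netsh ipsec static add filter filterlist="NetB to NetA" srcaddr=192.168.3.0 srcmask=255.255.255.0 dstaddr=192.168.2.0 dstmask=255.255.255.0 protocol=ANY mirrored=no

rem Rule 1: NetA to NetB traffic is tunneled to r2 (192.168.100.2).
netsh ipsec static add rule name="NetA to NetB rule" policy="NetA-NetB Tunnel" filterlist="NetA to NetB" filteraction="Require ESP" tunnel=192.168.100.2 conntype=all psk="%PSK%"

rem Rule 2: NetB to NetA traffic is tunneled to r1 (192.168.100.1).
netsh ipsec static add rule name="NetB to NetA rule" policy="NetA-NetB Tunnel" filterlist="NetB to NetA" filteraction="Require ESP" tunnel=192.168.100.1 conntype=all psk="%PSK%"

rem Assign the policy; only one local policy can be assigned at a time.
netsh ipsec static set policy name="NetA-NetB Tunnel" assign=y

rem Check: once traffic flows between the two clients, a main mode and a
rem quick mode SA between 192.168.100.1 and 192.168.100.2 should appear.
netsh ipsec dynamic show mmsas
netsh ipsec dynamic show qmsas
```

If the SA lists stay empty while the clients send traffic, the usual causes are a mirrored filter that pulled the return direction onto the wrong tunnel endpoint, or a preshared key that differs between the two routers; both show up in the Oakley log or the security event log rather than in the SA display.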
 
gio

The idea is something like this:
data coming from client 1, destined for client 2 (src=2.10, dst=3.10) must
be tunneled to r2 (100.2).

Perfect explanation, thanx a lot
Now is all clear... (and working!!) ;-)